Geo-Fencing Cryptographic Key Material

ABSTRACT

In representative embodiments, a geo-fence cryptographic key material comprising a geo-fence description defining a geographic area and associated cryptographic key material is assigned to an entity for use in authenticated communications. The validity of the cryptographic material changes state based on whether the entity is inside or outside the geographic area. This is accomplished in a representative embodiment by suspending the validity of the cryptographic key material when the entity is outside the geographic area and reinstating the validity of the cryptographic key material when the entity is inside the geographic area. A geographic update service determines the validity of the cryptographic material in part using location updates sent by the entity. Entities that are not geo-aware can delegate the location update to a geo-aware device. Encryption can be used to preserve privacy.

FIELD

This application relates generally to managing trust relationshipsbetween computer systems and, in an example embodiment, a system thatcreates a geographic fence for cryptographic key material.

BACKGROUND

In an authentication context aimed at authenticating a client against aservice using cryptographic key material, access is granted or deniedbased on cryptographic evidence that the authenticating client hascontrol over a specific key part, only known to the client, in the caseof an asymmetric cryptographic approach, or shared between the clientand the service provider, in the case of a symmetric cryptographicapproach. Various standards and technologies are employed to accomplishthe authentication of a client to a service, server, or peer such asX.509 certificates and related public key infrastructure (PKI) used inTransport Layer Security (TLS) and its predecessor, Secure Sockets Layer(SSL), Secure Shell (SSH) and its related infrastructure, and other suchtechnologies.

With the proliferation of sensitive and private information that isstored on and carried by computers, devices, networks and so forth,security and privacy have become increasingly important. Also,significant efforts have been devoted to minimizing attack surfaces innetworks to enhance security.

BRIEF DESCRIPTION OF DRAWINGS

The present disclosure is illustrated by way of example and notlimitation in the figures of the accompanying drawings, in which likereferences indicate similar elements and in which:

FIG. 1 illustrates a basic system where a system moves into and out of adefined geographic region;

FIG. 2 illustrates representative system interactions to issue andutilize geo-fenced key material;

FIG. 3 illustrates a representative flow diagram between a subscriberand key management system in some embodiments;

FIG. 4 illustrates a representative flow diagram between a geo-awaresystem and a geo-location update service in some embodiments;

FIG. 5 illustrates a representative flow diagram between a geo-awaresystem and a geo-location update service in some embodiments;

FIG. 6 illustrates representative system interactions to issue andutilize geo-fenced certificates;

FIG. 7 illustrates a representative flow diagram between a subscriber, aregistration authority and a certification authority;

FIG. 8 illustrates a representative flow diagram between a geo-awaresystem, a subscriber and a geo-location update service in someembodiments;

FIG. 9 illustrates a representative flow diagram for policy compliance;

FIG. 10 illustrates a representative SSH client and server support for ageo-fence attribute set;

FIG. 11 illustrates a representative mechanism to embed a geo-fenceattribute set in an X.509 certificate;

FIG. 12 illustrates a representative geo-fence attribute set; and

FIG. 13 is a block diagram of a machine in the example form of aprocessing system within which may be executed a set of instructions forcausing the machine to perform any one or more of the methodologiesdiscussed herein including the functions, systems and flow diagrams ofFIGS. 1-12.

DETAILED DESCRIPTION

In the following description, for purposes of explanation, numerousspecific details are set forth to provide a thorough understanding ofexample embodiments. It will be evident to one skilled in the art,however, that the present subject matter may be practiced without thesespecific details.

Overview

This disclosure describes systems and methods that include additionalevidence into the authentication infrastructure by associatinggeo-location positioning with the cryptographic key material used forauthentication. In the embodiments below, no specific representation ofthe geo-location coordinates is required. All that is needed is theability of a system or service to evaluate one or more geographiccoordinates to identify whether they fall within or outside of a definedgeographic area. Various mechanisms exist that accomplish this task andthat are suitable for use with the disclosure herein.

In representative embodiments, a client's cryptographic key material isassociated with a geo-fence attribute set that specifies parameters suchas a geographic region (e.g., defined by a geo-fence) within which theclient's cryptographic key material is authorized for authentication.The client's geo-location is compared to the geo-fence to identifywhether the client may establish authenticated communications using thecryptographic key material. Evidence of the client's location within thegeo-fence allows the client to establish authenticated communicationsusing the cryptographic key material, while a location outside the fenceresults in a suspension of the key material's applicability. Someembodiments support the reverse situation (e.g., the evidence of aclient being within a geo-fence might result in suspending thecryptographic key material, whereas a location outside the fencere-instates the key material). In some embodiments, a mandatory updatecontaining the location of the client allows the system to suspend theclient's key material if the client's location is unknown for apre-defined time interval. Additionally, or alternatively, crossing thegeo-fence may trigger an update containing the location of the client.

To meet privacy concerns regarding the encoding of geo-locationcoordinates and the tracing of a client's movements, an obfuscationscheme such as encryption can be employed to conceal the geo-locationcoordinates of the client. A delegation system can be used to identifyauthorized entities that can decrypt and utilize the geo-locationinformation.

If a geo-location sensor is unavailable or inaccessible on the samedevice where the cryptographic key material resides (e.g., the client),an authorization scheme for delegating decryption of the potentiallyencrypted geo-location coordinates as well as authenticating thegeo-location update messages on behalf of the geo-fenced cryptographickey material may be used. A real-time authorization protocol between thegeo-location aware device and the device bearing the cryptographic keymaterial based on a short distance protocol such as low power Bluetoothor a near-field communication may be used instead of or in addition to astatic authorization assignment.

In some embodiments, the geo-fence evaluation is processed on thegeo-location aware device (e.g., the client or delegated device)resulting in a geo-location update message or an immediate event triggerto update the status of the cryptographic key material (e.g., suspendedor reinstated). In other embodiments, a service receiving the updatemessage performs the evaluation instead (or in addition to). By tyingthe geo-location update exclusively to an imminent authentication or ifthe geo-fence evaluation is performed on the geo-location aware device,the number of geo-location update messages can be kept to a minimum.

In this specification reference is made to various standards publishedby the Internet Engineering Task Force (IETF). These standards arepublished in documents with the naming convention: RFC XXXX, where XXXXis a number. The standards (e.g., RFC documents) are available on theIETF website (www.ietf.org).

DEFINITIONS

In this disclosure, the following terms and definitions will be used.

-   -   Client means the system, user, device, account, and so forth        that initiates a secure connection, such as when a secure        connection request is sent. A system, device, virtual machine,        groups thereof, and so forth may have multiple clients.    -   Server means the system, host, device, account, and so forth        that receives a secure connection request (e.g., from a client).        A system, device, virtual machine, groups thereof, and so forth        may have multiple servers.    -   Client/Server means a system, device, virtual machine, groups        thereof and so forth that function both as a client and a server        (e.g., has at least one client and at least one server).    -   Entity is a term that encompasses at least system, device,        virtual machine, client, server, user, account, and so forth        that can utilize cryptographic key material as part of        authenticated communications.    -   Subscriber means an entity that requests or obtains        cryptographic key material for authenticated communications.    -   Certificate means an electronic document that uses a digital        signature to bind a public key with an identity. The certificate        can be used to verify that a public key belongs to an        individual, usually through cryptographic means and/or        protocols.    -   Geo-fence (GF) means a virtual perimeter for a real-world        geographic area. A geo-fence can be dynamically generated or can        be a predefined boundary and/or set of boundaries. A geo-fence        can be absolute, such as defining an absolute geographic area or        it can be relative such as defining a geographic area relative        to one or more reference locations (e.g., a geographic location        and/or coordinate) and/or landmarks (e.g., within a building or        on the corner of main and robin streets and so forth).    -   Geo-fence attribute set (GFAS) means a set of attributes that        form the basis for determining the validity status of        cryptographic key material associated with the GFAS. A GFAS may        be stored in a data structure of some sort or can be stored as        separate attributes or can exist as separate or groups of        attributes stored in various locations and/or data structures.        In other words, the GFAS need not be stored as a single        collection of attributes to be considered a GFAS. The GFAS can        include one or more of:        -   1. geo-fence information;        -   2. delegate identifier(s) and/or other delegate information            for things like delegation of decryption of various items,            delegation of geo-location determination, service where            geo-location update messages should be sent, delegation of            verification/validation of various items, and so forth;        -   3. policy information;        -   4. key instance(s) and/or identifier(s) of associated            cryptographic key material (e.g., some way to indicate the            related cryptographic key material); and/or        -   5. other information.    -   Geo-fenced certificate (GFC), sometimes referred to as a        geo-fence certificate, means a certificate having GFAS        information associated or embedded therewith.    -   Geo-fenced Key Material (GFKM), sometimes referred to as        geo-fence key material, is used herein to encompass both GFC and        GFAS and associated cryptographic key material.    -   Validity state, means the state of a GFC and/or cryptographic        key material associated with GFAS either as valid or as not        valid. In this disclosure terms like invalidate, suspend, revoke        and so forth will be used to indicate a state where the GFC        and/or cryptographic key material associated with GFAS is not        valid and terms like reinstate, reissue and so forth will be        used to indicate a state where the GFC and/or cryptographic key        material associated with GFAS is valid. No distinction is        intended other than to note that some implementations may        suspend and then reinstate the same GFC and/or cryptographic key        material while others may revoke the old GFC and/or        cryptographic key material and reissue a new GFC and/or        cryptographic key material.    -   Cryptographic key material means a key, key pair, key instance,        and so forth that is used in authenticated communications.    -   Key pair (KP) means a public/private key combination where the        private key may decrypt information encrypted by the public key        or where a public key verifies signatures created by the private        key.    -   Key set (KS) means all instances of a particular key pair. The        key set may be a client key set or a server key set.    -   Key instance (KI) means a single instance of a particular key or        key set. The key instance may be a client key instance, a server        key instance or a key set instance. Key instance may be part of        a key set, or a singular occurrence of a public or private key.    -   Key options mean one or more options provided by a particular        implementation (e.g. SSH or other implementation) such as source        control (e.g., allow and/or deny access from a particular source        to a particular destination), forced commands, source        restriction (e.g., allow and/or deny access based on source such        as the address, name, distinguished name, or other identifier of        a system or other location from which or to which connection may        be made), location control (including geographic, business,        current, and so forth), and other options that may apply to        limit or grant use of the trust relationship (e.g. no X11        forwarding, no agent forwarding, no port forwarding, etc.) and        so forth.    -   Key properties, also referred to as key characteristics, mean        one or more characteristics of a key, key pair, key set, key        instance, etc. such as key length, the algorithm used to        generate the key and so forth. Key characteristics also includes        properties about the key such as contact information of a person        responsible for or related to the key, authorized storage        location(s) for the key, and so forth.    -   Client Trust (CT) means a trust relationship where it is        established that a client private key is linked to the        authorized public key on a server. This is often evidenced by        way of having the client public key stored in server side        authorized key file.    -   Server Trust (ST) means a trust relationship where it is        established that the server public key is known by the client.        This is often evidenced by way of having the server public key        stored in client side user known host key file and/or global        known host key file.    -   Trust relationship means CT and/or ST. A trust relationship        exists where CT and/or ST exist between a client and server.

DESCRIPTION

The description that follows includes illustrative systems, methods,user interfaces, techniques, instruction sequences, and computingmachine program products that exemplify illustrative embodiments. In thefollowing description, for purposes of explanation, numerous specificdetails are set forth in order to provide an understanding of variousembodiments of the inventive subject matter. It will be evident,however, to those skilled in the art that embodiments of the inventivesubject matter may be practiced without these specific details. Ingeneral, well-known instruction instances, protocols, structures, andtechniques have not been shown in detail.

FIG. 1 illustrates a basic system 100 where a system 104 moves into andout of a defined geographic region 102. In describing FIG. 1, the termGFKM will be used with the understanding that different embodiments canuse GFC and/or GFAS with associated cryptographic key material. In thisillustration, the system 104 has a GFKM comprising geo-fence informationdefining a geographic region 102 and cryptographic key material (e.g.,in the form of a GFC and/or cryptographic key material associated withGFAS) for use in authenticated communications 116 with the system 106.The system 104 may be a client or a server, depending on the embodiment.As the system 104 moves across the geo-fence that defines the geographicregion 102, the status of the system's 104 associated GFKM is changedfrom suspended to reinstated, depending on the location of the system104.

In the illustrated embodiment, when the system 104 moves outside of thegeographic region 102, its GFKM is suspended as indicated by arrow 112.Thus, the system 110 represents the system 104 residing outside of thegeographic region 102 having its GFKM suspended (e.g., an invalid GFKM).While the system 110 resides outside of the geographic region 102, anyattempt to establish authenticated communications with the system 106will result in the system 106 discovering that the GFKM status for thesystem 110 is invalid. Thus the system 110 will be unable to establishauthenticated communications with the system 106. Unsuccessfulauthenticated communications between the system 110 (e.g., system 104now residing outside of the geographic region 102) and the system 106 isillustrated by arrow 118. The system 106 can include a service 108 thatchecks the validity of the system's 110 GFKM when authenticatedcommunications are attempted by the system 110.

When the system 110 moves inside of the geographic region 102, the GFKMis reinstated so that it is valid for authenticated communications.Reinstatement of the GFKM is illustrated by arrow 114 and successfulauthenticated communications between the system 104 and the system 106is illustrated by arrow 116. The system 104 represents the system 110residing inside of the geographic region 102 with a valid GFKM status.

While the embodiment of FIG. 1 discusses suspension and reinstatement ofthe GFKM, alternative embodiments can accomplish the same effect byrevoking the existing GFKM and issuing a new, valid GFKM rather thansuspending and then reinstating the same GFKM. In this disclosure termslike invalidate, suspend, revoke and so forth will be used to indicate astate where the GFKM is not valid and terms like reinstate, reissue,validate, and so forth will be used to indicate a state where the GFKMis valid. No distinction is intended other than to note that someimplementations may suspend and then reinstate the same GFKM and whileothers may revoke the old GFKM and reissue a new GFKM.

Various mechanisms exist in various embodiments to accomplish thesuspension and reinstatement of GFKM as an entity moves across ageo-fence. Typically such embodiments have 1) a mechanism for an entityto obtain appropriate cryptographic key material and an associatedgeo-fence; 2) a mechanism for updating the geo-location of the entity sothat its location can be assessed relative to a geo-fence; and 3) arepudiation service, validation service or other mechanism to ascertainthe validity of the cryptographic key material based on the location ofthe entity. The embodiments used to accomplish these mechanisms will bedifferent depending on the protocols and infrastructure used forauthentication. For example, X.509 certificates using a PKI forauthentication may implement the mechanisms differently than embodimentsbuilt upon SSH for authentication. Furthermore, some implementations mayrely on a custom or semi-custom collection of services, cryptographickey material, GFAS, systems and so forth to accomplish these functions.

Additionally, or alternatively, when GFKMs are issued, the validitystate can be set to be either valid or invalid. In some embodiments, thevalidity state is set to valid after issue and remains valid until thegeo-location of the system, the policies, and so forth indicate that itsstatus should be set to invalid. In some embodiments, the validity stateis set to invalid after issue and remains invalid until the geo-locationof the system, the policies, and so forth indicate that its statusshould be set to valid. While both approaches are appropriate indifferent situations, setting the “default” state to invalid and onlychanging the state to valid after the system shows that it meets thecriteria for a valid GFKM may provide a better default security state.The above “default” state discussion applies to all the embodimentsdescribed herein.

FIG. 2 illustrates representative system interactions 200 to issue andutilize GFKM in a general embodiment. This embodiment may be used, forexample, with SSH type authentication. In this embodiment, a subscriber202 obtains appropriate cryptographic key material. When SSH is used forauthentication, a key pair is generally generated on the subscribersystem. However, a centralized key management system 206 may also eithergenerate the key pair or direct generation of the key pair on subscriber202 so that the key pair complies with appropriate policies such asusing/assigning appropriate key properties and/or key options. Policiesrelating to key management on the centralized key management system 206may also define the geo-fence information to be associated withcryptographic key material. Interactions between the subscriber 202 andthe key management system 206 are indicated by arrow 204.

While implementations using SSH for authentication do not usually referto cryptographic key material as being embedded in or associated withcertificates, in describing the remainder of this embodiment, the termGFKM will be used. For the description of this embodiment, the term GFKMwill be used to refer to cryptographic key material and associated GFAS.Different SSH implementations may not store or relate the cryptographickey material and the GFAS in the same manner. For example, thecryptographic key material can be stored in a key file, as typicallydictated by various SSH implementations. The GFAS can be stored in thekey file and/or separately in a different location(s), as key options,as key properties, or in some other fashion. However, the cryptographickey material and GFAS are associated, along with other optionalinformation, to form the GFKM. As defined above, the information thatforms this GFKM can include one or more of the following information:

1) geo-fence information;

2) delegate identifier(s) and/or other delegate information for thingslike delegation of decryption of various items, delegation ofgeo-location determination, service where geo-location update messagesshould be sent, delegation of verification/validation of various items,and so forth;

3) policy information;

4) key instance(s) and/or identifier(s) of associated cryptographic keymaterial (e.g., some way to indicate the related cryptographic keymaterial); and/or

5) other information.

Different embodiments may have different combinations of the informationand store the information in different ways.

While some subscribers are geo-location aware, meaning that they havesensors or other means to determine the geo-location of the subscriber,other subscribers are not. Thus, in some embodiments, aspects related togeo-location can be delegated to a geo-location aware system/device 212.For example, the subscriber may be a user account located on a laptopwithout geo-location sensors (e.g., global positioning sensor (GPS),accelerometers, and so forth) while the geo-location aware device may bethe user's mobile phone, which has the ability to determine itsgeo-location.

Delegation may be accomplished via a real-time authorization protocolbetween the geo-location aware system 212 and the subscriber 202 basedon a short distance protocol such as low power Bluetooth or a near-fieldcommunication. Delegation may also be accomplished using a staticauthorization assignment, for example the appropriate policy may allow auser to use her specified mobile phone as the geo-location aware device.Thus, in some embodiments delegation uses static or pre-authorizeddelegation to a device or system. In other embodiments, dynamicdelegation is used. In still further embodiments, both static anddynamic delegation is used. In all of these embodiments, communicationsbetween the subscriber 202 and the geo-location aware system 212 may bewireless such as over low power Bluetooth or near field communication sothat delegation only occurs when the two systems are in close proximityto each other. In other embodiments wired connections can be used.

Whether delegation can occur, the conditions under which delegation canoccur, the mechanism used for delegation, the authorized entities thatcan be delegated to and so forth may be controlled by policies or insome other way. Policies can also be hierarchical in nature so that“lower” level policies can be overridden by “higher” level policies. Forexample, the user can authorize delegation, but the company can limit oroverride the authorization consistent with its security goals andinfrastructure. Thus, in some embodiments the key management system 206plays a role in determining authorized delegates, related conditionsand/or mechanisms. In other embodiments, the subscriber 202 plays a rolein determining authorized delegates, related conditions and/ormechanisms. In still further embodiments, a combination plays a role indetermining authorized delegates, related conditions and/or mechanisms.

Dashed box 214 indicates that the subscriber 202 and the geo-locationaware system 212 may be the same system, device, or so forth. From thispoint on, the description of FIG. 2 will refer to system 214 as a unit,rather than trying to differentiate embodiments where the subscriber 202and or the geo-location aware system 212 perform various actions.However, it will be clear to one of ordinary skill in the art how toapply this description to embodiments where delegation of geo-locationfunctions to the geo-location aware system 212 occurs.

Geo-location update service 218 ascertains when to change the validitystatus of the GFKM associated with system 214. As described elsewhere,determining the proper validity status of the GFKM associated withsystem 214 involves an assessment of the location of system 214 relativeto the geo-fence. Also as described elsewhere, in some embodiments,determining the proper validity status of the GFKM associated withsystem 214 also involves other information such as the time since thelocation of system 214 has been determined and/or other policyinformation. In some sense, the geo-fence information may be thought ofas just another aspect of a policy and some embodiments treat it assuch. The geo-fence evaluation is performed by different entities,depending on the embodiment. In some embodiments, the geo-fenceevaluation can be performed by the geo-location update service 218. Inother embodiments, the geo-fence evaluation can be performed by thesystem 214. In other embodiments, the geo-fence evaluation can beperformed by other entities.

In some embodiments, the location of the system 214 is passed to ageo-location update service 218 so that an assessment of the location ofthe system 214 relative to the geo-fence can be ascertained. Thelocation updates are indicated in the embodiment of FIG. 2 bygeo-location update message 216. The purpose of the geo-location updateservice 218 is to determine when to set the status of the GFKM as validand when to set the status of the GFKM as not valid based on thelocation of the system 214 and other relevant information. Theinformation in the geo-location update message 216 is sufficient toallow proper assessment of the conditions relevant to this determinationwhen coupled with information the geo-location update service 218 hasaccess to by other means. Thus, in some embodiments all the relevantinformation is sent via the geo-location update message. In otherembodiments some information is sent via the geo-location update messageand other information is either known locally or access remotely or acombination thereof. For example, the geo-location update service can beimplemented by or as part of a centralized key management system, suchas system 210. In such an implementation, the centralized key managementsystem may have access to all the information needed to perform theevaluation, except the geo-location of the system 214. Where thegeo-location update service is implemented separately from thecentralized key management system 210, a typical embodiment includes thelocation of the system 214 as well as relevant geo-fence information inthe geo-location update message. Different embodiments include eithermore or less information, such as the information outlined below.

In order to ascertain what the status of the GFKM should be, thegeo-location update service 218 accesses the location of the system 214,the geo-fence data associated with the cryptographic key material,and/or other information that may also be used to determine the validityof the GFKM. Such other information may be defined in one or morepolicies and contain things like a schedule (e.g., time of day, day ofweek, and so forth), the length of time since the last geo-locationupdate message, or any other desired information. Using the information,the geo-location update service 218 can apply various methods todetermine whether to change the validity status of the GFKM. Forexample, the GFKM of the system 214 is valid when the system 214 is oncorporate premises and it is a normal working day between the hours of 7a.m. and 6 p.m. and invalid otherwise. Additionally, or alternatively,if it has been more than a pre-defined time since a geo-location updatemessage has been received, the GFKM of the system 214 is marked invalid.The pre-defined period of time will depend on the security requirementsof the implementation, since the pre-defined period of time representssome measure of risk where the exact location of the system 214 isunknown. For example, in some embodiments 10 minutes may be a reasonabletime. In a higher security environment, a shorter period of time may bedesirable. In other embodiments, a longer period of time may besufficient.

The description above assumes that the geo-fence evaluation (e.g.,whether the system 214 is inside or outside the geo-fence) is evaluatedby the geo-location update service 218. In other embodiments, it may bepossible to delegate the geo-fence part of the evaluation to a differentsystem. In some embodiments, the geo-location aware device 212 (and/orthe combined system 214) performs the geo-fence evaluation. In otherembodiments, the geo-fence evaluation may be delegated to a differentsystem and/or service, such as the key management system 206 or anyother system and/or service that is authorized. The identification ofauthorized delegates for this aspect (e.g., evaluation of the locationof the system relative to the geo-fence) can be determined by a policyor combination of policies, which ultimately comply with theentity/entities that set the overriding policy, such as theauthentication service 226, the centralized key management system 206and/or validation/repudiation service 208. In embodiments where thegeo-fence evaluation is performed by the system 214 (or the delegatedgeo-location aware system 212), the results of the evaluation are sentto the geo-location update service 218 via the geo-location updatemessage 216. In further embodiments, the geo-location update message 216also contains information that allows the geo-location update service218 to verify the geo-fence evaluation and/or information that allowsthe geo-location update service 218 to trust the geo-fence evaluation.

The geo-location update message 216 is generally sent in a manner thatprevents such security problems as a replay attack, man in the middleattack, and so forth. In some embodiments, a secure protocol is used toestablish a secure, authenticated connection between the system 214 andthe geo-location update service 218. A protocol such as TLS is asuitable choice. A more general approach is used in other embodiments.This more general approach relies on the encryption of the geo-locationcoordinates along with other information to resist such attacks, such asclient and server generated nonce information. One suitable formulationis:

sgn_(prvC)(enc_(pubS)(GLI⊕nonce_(C)⊕nonce_(S))⊕nonce_(C))

Where:

-   -   GLI is the geo-location information for the system sending        updates (e.g., the system 214);    -   nonce_(C) is a nonce generated by the system sending updates        (e.g., the system 214);    -   nonce_(S) is a nonce generated by the system receiving the        updates (e.g., the geo-location update service 218);    -   pubS is a public key of the system receiving the updates (e.g.,        the geo-location update service 218);    -   prvC is a private key of the system sending the updates (e.g.,        the system 214);    -   enc_(x)( ) is an asymmetric cryptographic algorithm (e.g.,        public/private key encryption scheme) where the key x is used to        encrypt the data;    -   sgn_(x)( ) is a signing algorithm where the key x is used to        sign the data; and    -   ⊕ represents a concatenation.

The system 214 can use various triggering events to send a geo-locationupdate message. Examples of suitable triggering events include, but arenot limited to, a time period since the last update (e.g., messages aresent on a periodic basis), a change in location of the system 214,crossing the geo-fence, and/or combinations thereof. Thus in oneembodiment, the system 214 sends a geo-location update message 216whenever the system 214 crosses the geo-fence as well as at least everyso many minutes (e.g., 10 minutes).

Once the geo-location update service 218 determines what the status ofthe GFKM associated with the system 214 should be, it can report thestatus to a validation/repudiation service, such as thevalidation/repudiation service 208. The validation/repudiation service208 informs entities seeking to know the status of the GFKM whether theGFKM is valid or invalid. Such a service can be separate from, or partof, the key management system 206 as indicated by dashed box 210. In oneembodiment, the key management system 206 operates as a repudiationservice 208 to inform entities wishing to know the status of the GFKMwhether it is valid or invalid.

When the system 214 wishes to establish authenticated communication witha system, such as the system 224, it initiates communication using anappropriate authentication protocol and at least the cryptographic keymaterial. The system 224 checks the validity of the material using anauthentication service 226. The authentication service 226 checks thevalidity of the material with the validation/repudiation service 208.Assuming everything checks out, the system 224 can establish theauthenticated session(s) 222 based upon the cryptographic key material.

In some embodiments of FIG. 2, the authentication service 226 can bepart of the system 224 as indicated by box 228. In some of theseembodiments, the authentication service is that aspect of the system 224that implements the authentication protocol or that works in conjunctionwith the aspect of the system 224 that implements the authenticationprotocol.

While the description above focused on the system 214 having a GFKM,whose validity is based at least in part on the location of the system214 relative to a geo-fence, the same principles can be applied to thesystem 224. Thus, the system 224 may, in turn, have a GFKM whosevalidity depends, at least in part, on the location of the system 224.Thus, the system 224 would send geo-location updates to a geo-locationupdate service such as geo-location update service 218 which would thendetermine the validity state of the associated GFKM. In this way, thesystem 214 can authenticate the system 224 (and/or the combined system228) based on its GFKM as well to create a mutual authenticationsituation where both systems are authenticated, at least in part, basedon the validity of their respective GFKMs.

FIG. 3 illustrates a representative flow diagram 300 between asubscriber 302 and key management system 304 in some embodiments. Inorder to create a key pair associated with an appropriate geo-fence/GFAS(e.g., GFKM). Appropriate delegations are determined and the GFKM iscreated and deployed appropriately. The diagram of FIG. 300 illustratesvarious options for these operations for various embodiments.

Operation 306 and/or operation 318 represent generating a public/privatekey pair for the GFKM. As discussed above, in some embodiments, the keypair would be generated on the subscriber system 302 (e.g., operation306). In some embodiments, the key pair would be generated on the keymanagement system 304 (e.g., operation 318). In still furtherembodiments, the process of generating the public/private key pair issplit between the key management system 304 and the subscriber 302. Inthese latter embodiments, for example, the key management system 304 canaccess one or more policies to determine the appropriate key properties(e.g., key length, algorithm used to generate the key pair, and soforth), and the key management system 304 can initiate the appropriatekey generation on the subscriber 302. Thus, information such as the“what” and “how” are determined by the key management system 304 whilethe actual key generation is performed by the subscriber 302. In stillfurther embodiments, appropriate key properties are set by a combinationof policies and/or by an administrator.

Operation 308 and/or operation 320 represent identifying an appropriategeo-fence for the GFKM. The geo-fence to be associated with a GFKM isdetermined by a policy and/or set of policies and/or other suchinformation and/or some other way (e.g., set by an administrator). Insome embodiments, the policy and/or policies and/or other informationmay be known by, or available to, the subscriber 302. In theseembodiments, the appropriate geo-fence may be determined by thesubscriber 302 (e.g., operation 308). In other embodiments, the policyand/or policies and/or other information may be known by, or availableto, the key management system 304. In these embodiments, the appropriategeo-fence may be determined by the key management system 304 (e.g.,operation 320). In still further embodiments, some combination thereofmay be used.

Operation 310 and/or operation 322 represent delegation of geo-fenceevaluation. As discussed in conjunction with the embodiment of FIG. 2,various embodiments may delegate the geo-fence evaluation to ageo-location aware device, to a geo-location update service, and/or someother system. In various embodiments, authorized delegates for thisoperation are identified by a policy, a set of policies, anadministrator, or in some other fashion. Different embodiments selectdelegates based on policies (e.g., authorized delegates are identifiedby one or more policies), from a designated list, by a systemadministrator, based on some set of rules, and/or in some other fashion.Authorized delegate(s) are identified, for example, by a uniformresource locator (URL), a uniform resource identifier (URI), and/or someother identifier, and/or combinations thereof.

In some embodiments the subscriber 302 identifies the delegate(s) forthe geo-fence evaluation (e.g., operation 310). In other embodiments,the key management system 304 identifies the delegate(s) for geo-fenceevaluation (e.g., operation 322). In still further embodiments, acombination of the subscriber 302 and the key management system 304identify the delegate(s) (e.g., both operation 310 and operation 322).

An obfuscation scheme such as encryption can be employed in someembodiments to conceal the geo-fence information. Such is useful, forexample, if the information in the GFKM is public and there is a desirenot to make the exact nature of the geo-fence public as well. Inembodiments where the geo-fence information is encrypted, one or moredelegates can be identified that are authorized to decrypt the encryptedgeo-fence information. In various embodiments, authorized delegates forthis operation are identified by a policy, a set of policies, anadministrator, or in some other fashion. In some embodiment, thisdelegation identifies one or more entities that have access toappropriate keys and/or other information to accomplish decryption. Theauthorized delegate(s) are identified, for example, by a uniformresource locator (URL), a uniform resource identifier (URI), and/or someother identifier such as a key ownership identifier (e.g., as defined inRFC 5280), and/or combinations thereof which can be used to contactand/or connect with the delegate.

In certain embodiments the subscriber 302 identifies the delegate(s) forgeo-fence decryption (e.g., operation 312). In other embodiments, thekey management system 304 identifies the delegate(s) for geo-fencedecryption (e.g., operation 324). In still further embodiments, acombination of the subscriber 302 and the key management system 304identify the delegate(s) (e.g., both operation 312 and operation 324).

Not all of the information in operations 306/318, 308/320, 310/322,312/324 need be identified for all embodiments. Some embodiments mayhave some, but not all of the identified information. Some embodimentsmay have more information. Still other embodiments may have some of theinformation identified in operations 306/318, 308/320, 310/322, 312/324,but have additional information not listed in these operations. In otherwords, the information listed in these operations is representative, butnot exclusive. However, at a minimum, embodiments include thecryptographic key material as result of the operations 306/318 and thegeo-fence information as a result of the operations 308/320.

Once all the information has been identified, a GFKM can be created(such as a GFC for systems that use certificates) and/or the informationin the GFKM can be collected and stored in the appropriate location(s).This is indicated by operation 313 and/or operation 326 depending onwhether an embodiment has the information on the subscriber 302, the keymanagement system 304 or a combination thereof

In operation 328, the key management system 304 forwards the GFKM overto the subscriber system 302. The information is received by thesubscriber system 302 in operation 314 and the GFKM (or informationthereof) is deployed and/or stored appropriately in operation 316.

FIG. 4 illustrates a representative flow diagram 400 between a geo-awaresystem 402 and a geo-location update service 404 in some embodiments.The geo-aware system 402 may be a system that has sensors and/or othermeans to determine its location (e.g., system 214 of FIG. 2 and/orsystem 616 of FIG. 6), or it may be a system that is a delegate foranother system (e.g., system 212 of FIG. 2 and/or system 614 of FIG. 6).The geo-location update service 404 may be, for example, thegeo-location update service 218 of FIG. 2 and/or the geo-location updateservice 620 of FIG. 6.

In operation 406, the geo-aware system 402 determines its location suchas from a geo-location sensor or in some other fashion. Arrow 408represents the retrieval of the location information and/or informationfrom which the geo-aware system 402 can determine its location. In someembodiments, a geo-location can be retrieved from a sensor that is inproximity to the system, such as a mobile phone.

Operation 410 identifies whether to send a geo-location update message,such as when a triggering event has occurred. Triggering events caninclude, but are not limited to, crossing the geo-fence, the passage ofa designated period of time since the last geo-location update message,or some other triggering event. Thus, operation 406 and 410 may be donein reverse order if desired (e.g., the geo-aware system 402 may notretrieve/calculate its location until a triggering event occurs).Furthermore, if crossing the geo-fence is used as a triggering event,operation 410 may access the geo-fence as part of the decision to sendthe geo-location update message.

In operation 412 the geo-aware system 402 identifies where to send thegeo-location update message. In some embodiments, GFKM will store a URIor other identifier for the geo-location update service wheregeo-location update messages should be sent. Operation 412 representsthe system accessing such information to identify where to send themessage.

As discussed above, the geo-location update messages may be sent in amanner that prevents tampering or that prevents attacks such as the manin the middle attack or a replay attack. Mechanisms to transfer messagesin this way have been discussed elsewhere. Any of these mechanisms canbe used, but for purposes of illustration, operation 414 shows a secureconnection opened between geo-aware system 402 and geo-location updateservice 404. This operation represents any manner to transfer themessage in a way that provides sufficient security to meet the goals ofthe embodiment. One suitable option for many embodiments is TLS.Corresponding operation 424 on geo-location update service 404illustrates the actions taken by geo-location update service 404 to openthe secure connection.

Operation 418 represents constructing the geo-location update message,and operation 420 represents sending the message to the geo-locationupdate service 404. As discussed, the contents of the geo-locationupdate message vary from embodiment to embodiment. However, all willcontain sufficient information to allow the geo-location update serviceto evaluate the location of the system 402 relative to the geo-fence.Corresponding operation 426 illustrates receipt of the message by thegeo-location update service 404.

Operation 422 and operation 428 represent closing the secure connection.

Once the geo-location update service 404 has received the geo-locationupdate message, the service can perform the geo-fence evaluation todetermine whether the geo-aware system 402 is inside or outside thegeo-fence. Based on that evaluation, the validity state of the GFKM canbe set appropriately. This can be accomplished in several differentways. One way to accomplish this is to check the existing status of theGFKM, perform the evaluation and if the state should be changed,institute a change in the validity state of the GFKM. Another way is notto check the validity state of the GFKM, but to simply perform theevaluation, determine the appropriate state for the GFKM and initiate anupdate to the GFKM state. In this latter case, a state change may beinitiated even though the validity of the GFKM is in accord with theresults of the geo-fence evaluation.

In FIG. 4, the validity state of the GFKM is checked in operation 430.This operation can be performed by accessing the appropriate state if itis available to the geo-location update service 404 or, if not, thevalidity of the GFKM can be determined using an appropriate service,such as the validation/repudiation service 208 of FIG. 2 and/or theservice 610 of FIG. 6. Contacting such a service is illustrated by arrow432.

Operation 434 checks the validity of the geo-location update message.Such an operation may be desirable to ensure that the message has notbeen tampered with or ensure that it has no other problems.

If the message is encrypted, operation 436 decrypts the message. Thegeo-location update service 404 can decrypt the message if it has accessto the appropriate key(s) and if it is an approved delegate. If not, thegeo-location update service 404 utilizes an authorized delegate todecrypt the message.

If the geo-location or geo-fence data is encrypted, the data isdecrypted in operations 436 and/or 438, respectively. The geo-locationupdate service 404 can decrypt the message if it has access to theappropriate key(s). If not, it uses an authorized delegate to decryptthe message.

Operation 440 illustrates performing the geo-fence evaluation todetermine whether the geo-aware system 402 is inside or outside thedefined region. In appropriate embodiments, all or part of thisoperation can be delegated as indicated by arrow 442. For example, ifthe computation of the geo-location of the system relative to thegeo-fence is too complex or if delegation is appropriate to decryptencrypted information. Finally operation 444 indicates that thegeo-location update service 404 initiates a change in the validity ofthe GFKM if necessary based on its evaluation and based on otherinformation as explained elsewhere in this disclosure as indicated byarrow 446. What information is used in evaluating whether a state changeis initiated depends on the embodiment. Examples have been discussedabove and another example is discussed below in conjunction with FIG.11.

FIG. 5 illustrates a representative flow diagram 500 between a geo-awaresystem 502 and a geo-location update service 504 in some embodiments. Inthis embodiment, the geo-aware system performs the geo-fence evaluationitself and transfers the results of the evaluation. In some embodiments,the geo-aware system 502 also sends information that allows thegeo-location update service 504 to check the calculation or otherwiseverify the results are authentic. The geo-aware system 502 may be asystem that has sensors and/or other means to determine its location(e.g., system 214 of FIG. 2 and/or system 616 of FIG. 6), or it may be asystem that is a delegate for another system (e.g., system 212 of FIG. 2and/or system 614 of FIG. 6). The geo-location update service 504 maybe, for example, the geo-location update service 218 of FIG. 2 and/orthe geo-location update service 620 of FIG. 6.

In operation 506, the geo-aware system 502 determines its location suchas from a geo-location sensor or in some other fashion. Arrow 508represents the retrieval of the location information and/or informationfrom which the geo-aware system 502 can determine its location. In someembodiments, a geo-location can be retrieved from a sensor that is inproximity to the system, such as a mobile phone.

Operation 510 identifies whether to send a geo-location update message,such as when a triggering event has occurred. Triggering events caninclude, but are not limited to, crossing the geo-fence, the passage ofa designated period of time since the last geo-location update message,or some other triggering event. Thus, operation 506 and 510 may be donein reverse order if desired (e.g., the geo-aware system 502 may notretrieve/calculate its location until a triggering event occurs).Furthermore, if crossing the geo-fence is used as a triggering event,operation 512 may be performed as part of the decision to send thegeo-location update message.

In operation 512, geo-location aware system 502 accesses the geo-fencein order to be able to determine where it is with respect to thegeo-fence. The geo-fence evaluation is illustrated in operation 514.This evaluation determines whether the geo-aware system 502 resideswithin or outside of the region defined by the geo-fence. In thisembodiment, the geo-aware system 502 does not perform the entire task ofdetermining what the validity status of its own GFKM should be. It onlyperforms the evaluation relative to the geo-fence.

In operation 516 the geo-aware system 502 identifies where to send thegeo-location status message. In some embodiments, GFKM will store a URIor other identifier for the geo-location update service wheregeo-location status messages should be sent. Operation 516 representsthe system accessing such information to identify where to send themessage.

As discussed above, the geo-location update messages may be sent in amanner that prevents tampering or that prevents attacks such as the manin the middle attack or a replay attack. Mechanisms to transfer messagesin this way have been discussed above. Any of these mechanisms can beused, but for purposes of illustration, operation 518 shows a secureconnection opened between geo-aware system 502 and geo-location updateservice 504. This operation represents any manner to transfer themessage in a way that provides sufficient security to meet the goals ofthe embodiment. One suitable option for many embodiments is TLS.Corresponding operation 526 on geo-location update service 504illustrates the actions taken by geo-location update service 504 to openthe secure connection.

Operation 520 represents constructing the geo-location status message,and operation 522 represents sending the message to the geo-locationupdate service 504. The contents of the geo-location status message varyfrom embodiment to embodiment. However, all will contain sufficientinformation to allow the geo-location update service to determinewhether the geo-aware system 502 is inside or outside the geo-fence. Insome embodiments, additional information allowing geo-location updateservice 504 to validate the geo-fence evaluation performed by geo-awaresystem 502 is also included. Corresponding operation 528 illustratesreceipt of the message by the geo-location update service 504.

Operation 524 and operation 530 represent closing the secure connection.

Once the geo-location update service 504 has received the geo-locationstatus message, the service can determine the proper state of the GFKMand set it appropriately. As discussed with FIG. 4, this can beaccomplished in several different ways. One way to accomplish this is tocheck the existing status of the GFKM, perform the evaluation and if thestate should be changed, institute a change in the validity state of theGFKM. Another way is not to check the validity state of the GFKM, but tosimply perform the evaluation, determine the appropriate state for theGFKM and initiate an update to the GFKM state. In this latter case, astate change may be initiated even though the validity of the GFKM is inaccord with the results of the geo-fence evaluation.

In FIG. 5, the validity state of the GFKM is checked in operation 532.This operation can be performed by accessing the appropriate state if itis available to the geo-location update service 504 or, if not, thevalidity of the GFKM can be determined using an appropriate service,such as the validation/repudiation service 208 of FIG. 2 and/or service610 of FIG. 6. Contacting such a service is illustrated by arrow 534.

Although not depicted in FIG. 5, if the geo-location status message isencrypted or any of the data included in the geo-location status messageis encrypted, decryption can be performed as described previously.Delegation of the decryption can also occur in some embodiments.

Operation 536 checks the validity of the geo-location status message.Such an operation may be desirable to ensure that the message has notbeen tampered with or ensure that it has no other problems.

If the message contains information that allows the geo-location updateservice 504 to check the geo-fence evaluation performed by the geo-awaresystem 502, the check is performed in operation 538. Such a check maytake the form of verifying proof material associated with thecalculation, verifying the identity of the system that performed thecalculation, checking signature data, recalculating the geo-fenceevaluation, or any other such checks or verification.

Finally operation 540 and arrow 542 indicates that the geo-locationupdate service 504 initiates a change in the validity of the GFKM ifnecessary. What information is used in evaluating whether a state changeis initiated depends on the embodiment. Examples have been discussedabove and another example is discussed below in conjunction with FIG.11.

FIG. 6 illustrates representative system interactions 600 to issue andutilize geo-fenced certificates according to one embodiment. Such anembodiment is useful, for example, if an X.509 certificate forms thebasis for the GFC. Thus, the GFKM are GFCs in this embodiment. Theassociated PKI can for the basis for issuing and validating GFC, andother purposes as described below. The interactions are similar,although not necessarily identical, to those discussed in conjunctionwith FIG. 2 above and many of the same considerations apply.

In this embodiment, a subscriber 602 obtains appropriate cryptographickey material by creating a private/public key pair and embedding thepublic key into a certificate signing request (CSR) and sending the CSR604 to an appropriate registration authority 606. In some embodiments,the geo-fence information is included as part of the CSR. In otherembodiments, the geo-fence information is provided by another entity andembedded in the GFC by the certification authority as described below.

While some subscribers are geo-location aware, meaning that they havesensors or other means to determine the geo-location of the subscriber,other subscribers are not. Thus, in some embodiments, aspects related togeo-location can be delegated to a geo-location aware system/device 614.For example, the subscriber may be a user account located on a laptopwithout geo-location sensors (e.g., global positioning sensor (GPS),accelerometers, and so forth) while the geo-location aware device may bethe user's mobile phone, which has the ability to determine itsgeo-location.

Delegation may be accomplished via a real-time authorization protocolbetween the geo-location aware system 614 and the subscriber 602 basedon a short distance protocol such as low power Bluetooth or a near-fieldcommunication. Delegation may also be accomplished using a staticauthorization assignment, for example the appropriate policy may allow auser to use her specified mobile phone as the geo-location aware device.Thus, in some embodiments delegation uses static or pre-authorizeddelegation to a device or system. In other embodiments, dynamicdelegation is used. In still further embodiments, both static anddynamic delegation is used. In all of these embodiments, communicationsbetween the subscriber 602 and the geo-location aware system 614 may bewireless such as over low power Bluetooth or near field communication sothat delegation only occurs when the two systems are in close proximityto each other. In other embodiments wired connections can be used.

Whether delegation can occur, the conditions under which delegation canoccur, the mechanism used for delegation, the authorized entities thatcan be delegated to and so forth may be controlled by policies or insome other way. Policies can also be hierarchical in nature so that“lower” level policies can be overridden by “higher” level policies. Forexample, the user can authorize delegation, but the company can limit oroverride the authorization consistent with its security goals andinfrastructure. Thus, in some embodiments some management entity (e.g.,certificate management system, administrator, and so forth) plays a rolein determining authorized delegates, related conditions and/ormechanisms. In other embodiments, the subscriber 602 plays a role indetermining authorized delegates, related conditions and/or mechanisms.In still further embodiments, a combination plays a role in determiningauthorized delegates, related conditions and/or mechanisms.

Dashed box 616 indicates that the subscriber 602 and the geo-locationaware system 614 may be the same system, device, or so forth. From thispoint on, the description of FIG. 6 will refer to system 616 as a unit,rather than trying to differentiate embodiments where the subscriber 602and/or the geo-location aware system 614 perform various actions.However, it will be clear to one of ordinary skill in the art how toapply this description to embodiments where delegation of geo-locationfunctions to the geo-location aware system 614 occurs.

In some embodiments, additional information (in addition to thegeo-fence information described above) included in the CSR can include,but is not limited to identifiers and other information related todelegates (e.g., geo-location aware system 614, systems that areauthorized to decrypt and/or validate encrypted information, etc.),policy information that describes conditions for GFC state change, andso forth. As with the geo-fence information, this information may beprovided by another entity and made part of the GFC as described below.In summary, a CSR may include one or more of the following in anycombination:

1) geo-fence information;

2) delegate identifier(s) and/or other delegate information for thingslike delegation of decryption of various items, delegation ofgeo-location determination, service where geo-location update messagesshould be sent, delegation of verification/validation of various items,and so forth;

3) policy information;

4) key instance(s) and/or identifier(s) of associated cryptographic keymaterial (e.g., some way to indicate the related cryptographic keymaterial); and/or

5) other information.

This information may also be part of the issued GFC.

When the CSR is received by registration authority 606, the registrationauthority validates/verifies the CSR and, in some embodiments, theinformation included in the CSR. For example, the registration authority606 can vet the subscriber's claim for the issuance of the GFC. If thesubscriber is not authorized to submit a CSR for the GFC it desires, theCSR can be rejected. The certification authority can also check for theapplicability of any templates and/or template information applicable tothe CSR. If possible, the registration authority 606 alsovalidates/verifies the other information in the CSR such as any of theinformation listed above.

Templates and template information are used in some embodiments toprovide any or all of the information in the CSR. As an example, anadministrator determines that a subscriber from a particular departmentsubmitting a CSR has a pre-defined geo-fence around one or moredesignated geographic regions, such as the locations where thedepartment has operations. A template can provide this geo-fenceinformation for all CSRs created by subscribers from that department.Thus, the geo-fence information is provided by an authorized entity andthe registration authority 606 uses templates to enforce and simplifythe process. In some embodiments, rules and/or policies can determinewhat the registration authority 606 does with conflicting and/orinconsistent and/or additional information coming from the subscriber602 and/or the template.

Once the certification authority 606 finishes validating the CSR and/orthe information in the CSR, as well as utilizing any applicabletemplates and/or template information, the registration authority 606forwards the CSR to the certification authority 608.

The certification authority 608 issues the GFC according to its policiesand applies any templates and/or template information. The certificationauthority 608 can also embed the URI and/or other identifier for thegeo-location update service that should receive geo-location updatemessages. The certification authority can also encrypt the GFAS part ofthe certificate and/or specific information therein like the geo-fenceinformation.

The dashed box 610 indicates that citification authority 608 andregistration authority 606 may be the same system in some embodiments.Thus, a reference to a combined system (e.g., the system 610) should betaken in this disclosure to also be a reference to the particularindividual system (e.g., the certification authority 608 or theregistration authority 606) as appropriate.

The geo-location update service 620 ascertains when to change thevalidity status of the GFC associated with the system 616. As describedelsewhere, determining the proper validity status of the GFC associatedwith the system 616 involves an assessment of the location of the system616 relative to the geo-fence. Also as described elsewhere, in someembodiments, determining the proper validity status of the GFCassociated with the system 616 also involves other information such asthe time since the location of the system 616 has been determined and/orother policy information. The geo-fence evaluation is performed bydifferent entities, depending on the embodiment. In some embodiments,the geo-fence evaluation can be performed by the geo-location updateservice 620. In other embodiments, the geo-fence evaluation can beperformed by the system 616. In other embodiments, the geo-fenceevaluation can be performed by other entities.

In some embodiments, upon a triggering event, the location of the system616 is passed to a geo-location update service 620 so that an assessmentof the location of the system 616 relative to the geo-fence can beascertained. The location updates are indicated in the embodiment ofFIG. 6 by geo-location update message 618. The purpose of thegeo-location update service 620 is to determine when to set the statusof the GFC as valid and when to set the status of the GFC as not validbased on the location of the system 616 and other relevant information.The information in the geo-location update message 618 is sufficient toallow proper assessment of the conditions relevant to this determinationwhen coupled with information the geo-location update service 620 hasaccess to by other means. Thus, in some embodiments all the relevantinformation is sent via the geo-location update message. In otherembodiments some information is sent via the geo-location update messageand other information is either known locally or access remotely or acombination thereof. A typical embodiment includes the location of thesystem 616 as well as relevant geo-fence information in the geo-locationupdate message. Such can be determined, for example, by sending the GFCin the geo-location update message 618 along with the location of thesystem 616. Different embodiments include either more or lessinformation, such as the information outlined below.

In one representative embodiment, in order to ascertain what the statusof the GFC should be, the geo-location update service 620 accesses thelocation of the system 616, the geo-fence data associated with the GFC,and/or other information that may also be used to determine the validityof the GFC. Such other information may be defined in one or morepolicies and contain things like a schedule (e.g., time of day, day ofweek, and so forth), the length of time since the last geo-locationupdate message, or any other desired information. Using the information,the geo-location update service 620 can apply various methods todetermine whether to change the validity status of the GFC. For example,the GFC of the system 616 is valid when the system 616 is at anauthorized remote location (defined by the geo-fence information) and itis not a holiday and the time is between 7 p.m. and 10 p.m. and invalidwhen the system 616 is otherwise not located on the corporate campus.Thus, a rich set of rules and conditions, which can be different fordifferent geo-fence locations, can be applied to the validity status ofthe GFC. Additionally, or alternatively, if it has been more than apre-defined time (e.g., 10 minutes or other time appropriate to thesecurity environment) since a geo-location update message has beenreceived, the GFC of the system 616 is marked invalid.

The description above assumes that the geo-fence evaluation (e.g.,whether the system 616 is inside or outside the geo-fence) is evaluatedby the geo-location update service 620. In other embodiments, it may bepossible to delegate the geo-fence part of the evaluation to a differentsystem. In some embodiments, the geo-location aware device 614 (and/orthe combined system 616) performs the geo-fence evaluation. In otherembodiments, the geo-fence evaluation may be delegated to a differentauthorized system and/or service. The identification of authorizeddelegates for this aspect (e.g., evaluation of the location of thesystem relative to the geo-fence) can be determined by a policy orcombination of policies. Furthermore, delegation can be conditional andbased on factors such as proximity to a geo-aware device/system,location of the system associated with the GFC, time of day,connectivity, and/or other information. In embodiments where thegeo-fence evaluation is performed by the system 616 (or the delegatedgeo-location aware system 614), the results of the evaluation are sentto the geo-location update service 620 via the geo-location updatemessage 618. In further embodiments, the geo-location update message 618also contains information that allows the geo-location update service620 to verify the geo-fence evaluation and/or information that allowsthe geo-location update service 620 to trust the geo-fence evaluation.

The geo-location update message 618 is generally sent in a manner thatprevents such security problems as a replay attack, man in the middleattack, and so forth. In some embodiments, a secure protocol is used toestablish a secure, authenticated connection between the system 616 andthe geo-location update service 620. A protocol such as TLS is asuitable choice. A more general approach is used in other embodiments.This more general approach relies on the encryption of the geo-locationcoordinates along with other information to resist such attacks, such asclient and server generated nonce information. One suitable formulationis:

sgn_(prvC)(enc_(pubS)(GLI⊕nonce_(C)⊕nonce_(S))⊕nonce_(C))

Where:

GLI is the geo-location information for the system sending updates(e.g., the system 214);

nonce_(C) is a nonce generated by the system sending updates (e.g., thesystem 214);

nonce_(S) is a nonce generated by the system receiving the updates(e.g., the geo-location update service 218);

pubS is a public key of the system receiving the updates (e.g., thegeo-location update service 218);

prvC is a private key of the system sending the updates (e.g., thesystem 214);

enc_(x)( ) is an asymmetric cryptographic algorithm (e.g.,public/private key encryption scheme) where the key x is used to encryptthe data;

sgn_(x)( ) is a signing algorithm where the key x is used to sign thedata; and

⊕ represents a concatenation.

The system 616 can use various triggering events to know when to send ageo-location update message. Examples of suitable triggering eventsinclude, but are not limited to, a time period since the last update(e.g., messages are sent on a periodic basis), a change in location ofthe system 616, crossing the geo-fence, and/or combinations thereof.Thus in one embodiment, the system 616 sends a geo-location updatemessage 618 whenever the system 616 crosses the geo-fence as well as atleast every so many minutes (e.g., 10 minutes).

Once the geo-location update service 620 determines what the status ofthe GFC associated with the system 618 should be, it can report thestatus to a validation/repudiation service, such as certificationauthority 610. The certification authority 610 informs entities seekingto know the status of the GFC whether the GFC is valid or invalid.Initiating a status change in the context of PKI can be accomplished inseveral ways. The PKI uses certificate revocation lists (CRL) and DeltaCRLs to track certificates that have been revoked and are no longervalid. One mechanism that some embodiments use is to revoke the statusof GFCs that are no longer valid. When the system, such as system 616moves to a geo-location where the GFC can be reinstated, a process couldbe started to issue a new GFC to the system. This embodiment canincrease the overall complexity of the implementation due to the need togenerate a new key pair and issue a new certificate every time thecertificate should be reinstated.

Another embodiment utilizes the ability of the PKI to indicate why aspecific certificate has been revoked. A certificate can be temporarilysuspended by assigning the reason code certificateHold. Once listed as arevoked certificate in a published CRL, the corresponding certificatewill be repudiated by relying parties until either a subsequentlypublished CRL removes the certificate's serial number from its list ofrevoked certificates or—if applicable—a Delta CRL marks thecertificate's entry with the reason code removeFromCRL. Thus, in thisembodiment, the geo-location update service would initiate a validitystatus change to invalid by indicating the relevant GFC should berevoked and attaching the certificateHold reason code. The revokedcertificate would then be included in the CRL with the attachedcertificateHold reason code. When the certificate should be reinstated,the geo-location update service would initiate a change to remove thecertificate from the CRL or—if applicable—a Delta CRL marks thecertificate's entry with the reason code removeFromCRL.

When the system 616 wishes to establish authenticated communication witha system, such as the system 626, it initiates communication using anappropriate authentication protocol (e.g., TLS) using the X.509certificate with the GFC information. The system 626 checks the validityof the material using an authentication service 628 as indicated byarrow 630. The authentication service 628 checks the validity of thematerial by checking CRL, Delta CRL and/or by querying an onlinecertificate status protocol (OCSP) responder. This is illustrated inFIG. 6 by validation 632 which queries certification authority 608and/or PKI 610. Assuming everything checks out, the system 626 canestablish the authenticated session(s) 624 based upon the cryptographickey material.

In some embodiments of FIG. 6, the authentication service 628 can bepart of the system 626 as indicated by the dashed box surrounding them.In some of these embodiments, the authentication service is that aspectof the system 626 that implements the authentication protocol or thatworks in conjunction with the aspect of the system 626 that implementsthe authentication protocol.

While the description above focused on the system 616 having a GFC,whose validity is based at least in part on the location of the system616 relative to a geo-fence, the same principles can be applied to thesystem 626. Thus, the system 626 may, in turn, have a GFC whose validitydepends, at least in part, on the location of the system 626. Thus, thesystem 626 would send geo-location updates to a geo-location updateservice such as geo-location update service 620 which would thendetermine the validity state of the associated GFC. In this way, thesystem 616 can authenticate the system 626 (and/or the combined system626 and authentication service 628) based on its GFC as well to create amutual authentication situation where both systems are authenticated, atleast in part, based on the validity of their respective GFCs.

FIG. 7 illustrates a representative flow diagram 700 between asubscriber 702, a registration authority 704 and a certificationauthority 706, such as those illustrated in FIG. 6.

Operation 708 represents generating a public/private key pair for theGFC. In some embodiments, the key pair would be generated on thesubscriber system 702 (e.g., operation 708). In some embodiments, apolicy or other system (e.g., a certificate or credential managementsystem) would either generate the key pair or would initiate generationof the key pair on the subscriber system 702 with appropriate optionsand in an appropriate manner to ensure the key pair complies with one ormore policies. In other words, a certificate/credential managementsystem can access one or more policies to determine the appropriate keyproperties (e.g., key length, algorithm used to generate the key pair,and so forth), and can initiate the appropriate key generation on thesubscriber 702. In other embodiments, the subscriber system 702 hasaccess to one or more policies, information from administrators, or canaccess the appropriate key properties so that it will generate a keypair that complies with all relevant security requirements.

Operation 710 represents identifying an appropriate geo-fence for theGFC. The geo-fence to be associated with a GFC is determined by a policyand/or set of policies and/or other such information and/or some otherway (e.g., set by an administrator). In some embodiments, the policyand/or policies and/or other information may be known by, or availableto, the subscriber 702. In these embodiments, the appropriate geo-fencemay be determined by the subscriber 702 (e.g., operation 710). In otherembodiments, the policy and/or policies and/or other information may beknown by, or available to, some sort of certificate/credentialmanagement system. In these embodiments, the appropriate geo-fence maybe determined by that system and retrieved by the subscriber 702. Stillfurther embodiments use templates and/or template information asdescribed in FIG. 6 to identify an appropriate geo-fence for thecertificate. In these embodiments, registration authority 704 and/orcertification authority 706 will supply the geo-fence information.

Operation 712 represents delegation of geo-fence evaluation. Asdiscussed in conjunction with the embodiment of FIGS. 2 and 6, variousembodiments may delegate the geo-fence evaluation to a geo-locationaware device, to a geo-location update service, and/or some othersystem. Different embodiments select delegates based on policies (e.g.,authorized delegates are identified by one or more policies), from adesignated list, by a system administrator, based on some set of rules,and/or in some other fashion. Authorized delegate(s) are identified, forexample, by a uniform resource locator (URL), a uniform resourceidentifier (URI), and/or some other identifier, and/or combinationsthereof.

In some embodiments the subscriber 702 identifies the delegate(s) forthe geo-fence evaluation (e.g., operation 712). In other embodiments,another system identifies the delegate(s) for geo-fence evaluation andsubscriber 712 retrieves the appropriate information. In still furtherembodiments, the registration authority 704 and/or the certificationauthority 706 provide the information via templates and/or templateinformation as explained elsewhere.

An obfuscation scheme such as encryption can be employed in someembodiments to conceal the geo-fence information. Such is useful, forexample, if the information in the GFC is public and there is a desirenot to make the exact nature of the geo-fence public as well. Inembodiments where the geo-fence information is encrypted, one or moredelegates can be identified that are authorized to decrypt the encryptedgeo-fence information. In various embodiments, authorized delegates forthis operation are identified by a policy, a set of policies, anadministrator, or in some other fashion. In some embodiment, thisdelegation identifies one or more entities that have access toappropriate keys and/or other information to accomplish decryption. Theauthorized delegate(s) are identified, for example, by a uniformresource locator (URL), a uniform resource identifier (URI), and/or someother identifier such as a key ownership identifier (e.g., as defined inRFC 5280), and/or combinations thereof which can be used to contactand/or connect with the delegate.

In certain embodiments the subscriber 702 identifies the delegate(s) forgeo-fence decryption (e.g., operation 714). In other embodiments,another system identifies the delegate(s) for geo-fence decryption andthe subscriber 702 retrieves the relevant information. In still furtherembodiments, the registration authority 704 and/or the certificationauthority 706 provide the information via templates and/or templateinformation as explained elsewhere.

Not all of the information in operations 710, 712 and 714 need beidentified for all embodiments. Some embodiments may have some, but notall of the identified information. Some embodiments may have moreinformation. Still other embodiments may have some of the informationidentified in operations 710, 712 and 714 but have additionalinformation not listed in these operations. In other words, theinformation listed in these operations is representative, but notexclusive. However, at a minimum, embodiments include the cryptographickey information as result of the operation 708 and the geo-fenceinformation as a result of the operation 710. If templates are employed,in addition to or instead of a geo-fence region supplied by thesubscriber, a geo-fence may be determined by the template.

Once all the information has been identified, a CSR for the GFC can becreated and sent to the registration authority 704 as indicated byoperations 716 and 722.

Once the registration authority 704 receives the CSR, the registrationauthority 704 verifies the information that it can verify in operation724. This includes, but is not limited to, verifying the CSR itselfalong with the geo-fence information and other information in the CSR.

In operation 728 the registration authority 704 checks for templatesand/or template information that should be utilized as part of the CSR.The use of templates and/or template information has been previouslyexplained.

If the geo-fence information is to be encrypted and if the geo-fenceinformation is not already encrypted, the registration authority 704 mayencrypt the information in operation 728. The use of encryption toobscure the geo-fence information has been previously discussed.

Once the registration authority 704 has verified all information, addedinformation from templates, and/or encrypted the data necessary, theregistration authority 704 forwards the CSR to the certificationauthority 706 as indicated in operations 730 and 732.

The certification authority 706 that receives the CSR issues the GFC(such as an X.509 certificate with embedded GFAS information) accordingto its policies and procedures in operation 734. The certificationauthority 706 can also optionally embed the URI for the geo-locationupdate service that should be used with the certificate in operation736. Also optionally, the certification authority 706 can encrypt thegeo-fence information as indicated in operation 738 to the extent thatthe information is not already encrypted.

Once the GFC is created, the certification authority 706 forwards theGFC to the subscriber 702 as indicated by operations 740 and 718. Thesubscriber 702 then deploys the GFC as appropriate (e.g., to adelegate).

FIG. 8 illustrates a representative flow diagram 800 between a geo-awaresystem 802, a subscriber 804 and a geo-location update service 806 insome embodiments. This diagram is intended to illustrate an exampleembodiment of a subscriber 804 working with a geo-aware system 802 thathas been delegated certain operations (e.g., such as the operationsdiscussed in conjunction with the subscribers of FIGS. 2, 3, 6 and 7).In most, if not all, embodiments, any operation that would be performedby a geo-aware subscriber can be delegated to a geo-aware system workingwith a subscriber as a delegate. However, some operations will morenaturally be performed at one and/or the other in the situation where anon-geo-aware subscriber works with a geo-aware system as a delegate. Asdiscussed elsewhere, a geo-aware delegate working with a non-geo-awaresubscriber can communicate and/or establish the delegation using astatic delegation or some form of short-range protocol and/or technologysuch as a wired connection, low power Bluetooth, near-fieldcommunication and such. The purpose of using these type of connections,protocols, and technologies is to help ensure that the device that isgeo-aware is in close proximity to the device that is not geo-aware.Otherwise, it may be possible to report incorrect location informationfor the non-geo-aware subscriber.

The subscriber 804 checks its delegations in operation 818. Thisoperation identifies the whether an operation should be delegated and,if so, which entity it should be delegated to. Operation 820 establishesthe delegation with the appropriate geo-aware system 802. As explainedelsewhere, the delegation can be dynamic based on proximity and/or otherinformation of the delegate to the subscriber 804, or the delegation canbe static (e.g., established before hand). In the static case, certaininformation and/or characteristics can be checked before the delegate isactually allowed to perform the action (such as checking for proximityof the delegate, for example).

Operation 808 checks the delegation and ensures the geo-aware system 802is capable of carrying out the delegated operation, that the propersystem is requesting the operation, and so forth. Operation 810illustrates the geo-aware system 802 performing the delegated operationsand the results are returned in operation 812.

Once the results are received (e.g., operation 822), the subscriber 804can forward the results or, for example, create a geo-location update orstatus message and send to the geo-location update service 806 asindicated in operation 824. Alternatively, or additionally, interactionswith the geo-location update service 806 can be performed by thegeo-aware system 802 as indicated by operation 814 and arrow 816.

FIG. 9 illustrates a representative flow diagram 900 for policycompliance based on any desire factor and/or rules. Examples of factorsand/or rules that can be checked for policy compliance are a schedule,such as time of day, day of week and so forth, a time period since thelast update was received, or any other factors and/or rules to performcomplex logic for the validity of the GFKM. No attempt has been made inFIG. 9 to separate out functions that are performed by one system vs. asystem and a delegate, such as those embodiments described above.However, certain functions can be delegated as previously described suchas geo-fence evaluation.

The method starts at 902 and proceeds to operation 904, which tests forpolicy compliance. For example, if the policy states that thecryptographic material is valid for authentication during working hours,then the policy compliance operation 904 would test whether it iscurrently during working hours. As another example, if the policy statedthat the certificate was valid during weekends as long as thegeo-location has been checked in the last 4 minutes, then operation 904would check these conditions. If the system is not in compliance withpolicy, the status of the GFKM should be set to invalid. Thus, executionproceeds to operation 922 where the validity status of the GFKM ischecked. If the GFKM certificate is already suspended (e.g., invalid),no action needs to be taken as indicated by operation 930. If the GFKMcertificate is valid, the no branch 924 is taken and the status of theGFKM is changed to invalid as indicated in operation 932.

If the system is in compliance with policy, execution proceeds tooperation 910, which waits until an update message is received. Thus,the combination of operations 904 and 910 wait until either the systemis not in compliance with policy or until an update message is received.

When a geo-location update message is received, execution proceeds tooperation 916. In operation 916 the location of the geo-aware system ischecked against the geo-fence. Thus, operation 916 checks the geo-fenceaspect of any policies. Assuming a policy where a GFKM is valid insidethe geo-fence and invalid outside it, if it is inside the geo-fence,then the GFKM should be indicated as valid. Execution thus proceeds tooperation 928 and if the GFKM is already valid, no action is taken asindicated by operation 934. If, however, the GFKM is suspended,execution proceeds to operation 932 and the status of the GFKM ischanged to reinstated.

When the geo-aware system is outside the geo-fence, the GFKM should bemarked as suspended. Thus, the “no” branch 918 is taken out of operation916 and the validity of the GFKM is checked in operation 922. If theGFKM is already suspended, no action is taken as indicated by operation930. If, however, the certificate is valid, execution proceeds tooperation 932 and the status of the GFKM is changed to suspended.

FIG. 10 illustrates a representative SSH client 1012 and server 1002support 1000 for GFKM. As previously mentioned, SSH does not usecertificates as such in most implementations. However, cryptographic keymaterial is the basis for authenticated communications and suchcryptographic key material can be associated with a GFAS in order toform GFKM. In addition to cryptographic key material (e.g., various keyinstances), many SSH implementations have additional key options andother information that serve many of the same purposes as information inother certificate implementations such as key expiry, periodic keyrotation, selecting key parameters/options to comply with varioussecurity concerns, and so forth.

In the definitions section, a client is the system, user, device,account, and so forth that initiates a secure connection, such as when asecure connection request is sent, while a server is the system, host,device, account, and so forth that receives a secure connection request(e.g., from a client). Systems (or other entities) can act as both aclient and a server and systems can have multiple clients and/or serverson them. Thus, the information used to support a GFKM implementation canvary for clients and servers and from implementation to implementation.The illustration of FIG. 10 is meant to be a representative illustrationand other embodiments can have different implementations and/ordifferent information and/or store the same information in a differentmanner.

Returning for a moment to the discussion of FIG. 2, the system 214 usedthe GFKM information to establish an authenticated session 222 with thesystem 224. In this fashion, the system 214 functions as a client andthe system 224 functions as a server. Looking at the describedoperation, the system 214 sends a geo-location update message togeo-location update service 218 in order to allow the validity status ofthe GFKM material to be properly determined. The server, however, needsthe cryptographic key material used to establish the authenticatedsession as well as a way to determine how to contact thevalidation/repudiation service to determine the validity status of theGFKM related information. Thus, as explained in conjunction with theembodiment of FIG. 2, the GFKM related information may include one ormore of the following information:

1) geo-fence information;

2) delegate identifier(s) and/or other delegate information for thingslike delegation of decryption of various items, delegation ofgeo-location determination, service where geo-location update messagesshould be sent, delegation of verification/validation of various items,and so forth;

3) policy information;

4) key instance(s) and/or identifier(s) of associated cryptographic keymaterial (e.g., some way to indicate the related cryptographic keymaterial); and/or

5) other information.

Most, if not all, SSH implementations support various key file headersin the SSH key file. These headers include, for example, a subjectheader, a comment header, and private use headers; the latter arereserved for private use. Thus, SSH client support 1012 in someembodiments are implemented by storing the GFAS or client subset thereofin geo-fence header 1018 stored as a private use header 1016 section inthe key file 1014. Thus, geo-fence header 1018 represents the GFAS orclient subset thereof. The GFAS or client subset thereof is thosegeo-fence attributes used by the client in authenticated communications.

The SSH server support 1002 in some embodiments stores its GFAS orserver subset thereof as SSH key options. Thus, the SSH server support1002 has an SSH key list storing client information (e.g., authenticatedkeys) 1004 with various key options 1006 including SSH key options 1008for the particular client key. A section of the client key options 1008can include the relevant GFAS stored as geo-fence options 1010.

A representative GFAS is illustrated in FIG. 12.

FIG. 11 illustrates a representative mechanism to embed a relevant GFAS1132 in an X.509 certificate, shown generally as 1100. An X.509certificate 1102 comprises numerous attributes 1104 that are defined inspecifications, such as RFC 5280. One mechanism to associate GFAS 1132with and/or embed GFAS 1132 in an X.509 certificate 1102 is to use theX.509 extension attribute 1130, which is available starting with version3 of the X.509 certificates. As indicated in RFC 5280, the extensionsdefined for X.509 v3 certificates provide methods for associatingadditional attributes with users or public keys and for managingrelationships between certification authorities. The X.509 v3certificate format also allows communities to define private extensionsto carry information unique to those communities. Each extension in acertificate is designated as either critical or non-critical. The GFAS1132 is placed in this area of the X.509 certificate in manyembodiments. A representative embodiment describing the contents of theGFAS 1132 is described in FIG. 12, below.

FIG. 12 illustrates a representative GFAS, shown generally as 1200. TheGFAS 1202 can include various attributes, not all of which need be usedin every embodiment. The representative GFAS 1202 of FIG. 12 can beassociated with cryptographic key material to produce GFKM, such as usedwith an SSH embodiment (e.g., stored in the SSH public key file to whichthe GFAS is attached to, referenced by the authorized key list of theSSH server the GFAS is embedded in, or otherwise) or with an embodimentusing GFC (e.g., an X.509 certificate plus GFAS such as that illustratedin FIG. 11). All embodiments will, at a minimum, have the geo-fencedescription attribute 1210. As the GFAS is associated with cryptographickey material to form GFKM, many embodiments include some mechanism ofindicating the cryptographic key material that is associated with theGFAS. Such a mechanism can be internal to the GFAS/GFKM like anidentifier, associated certificate, and/or other mechanism, or externalto the GFAS/GFKM such as GFAS/GFKM metadata and/or some other mechanism.

Representative attributes for a GFAS include, but are not limited to thefollowing.

1) A geo-fence description attribute 1210, which describes one or moregeo-fence area(s). The geo-fence description can be described inabsolute coordinates or be described in a relative fashion, either usingcoordinates or a landmark (e.g., within a particular building, within acertain area relative to a fixed coordinate or landmark, and so forth).

2) One or more identifiers for delegates 1212 (or some way ofidentifying appropriate delegates). Identifiers for delegates have beendescribed elsewhere. If there are no delegates, this attribute can beomitted.

3) A policy attribute 1214, which describes one or more policiesassociated with the GFKM. Policies and what they may contain have beendescribed extensively elsewhere. This attribute can be omitted if noadditional policies apply.

4) other information and/or attributes 1216.

Some embodiments also include some way of identifying associatedcryptographic key material. This can be an identifier, link, and/or someother mechanism.

Modules, Components and Logic

Certain embodiments are described herein as including logic or a numberof components, modules, or mechanisms. Modules may constitute eithersoftware modules (e.g., code embodied (1) on a non-transitorymachine-readable medium or (2) in a transmission signal) orhardware-implemented modules. A hardware-implemented module is tangibleunit capable of performing certain operations and may be configured orarranged in a certain manner. In example embodiments, one or morecomputer systems (e.g., a standalone, client or server computer system)or one or more processors may be configured by software (e.g., anapplication or application portion) as a hardware-implemented modulethat operates to perform certain operations as described herein.

In various embodiments, a hardware-implemented module may be implementedmechanically or electronically. For example, a hardware-implementedmodule may comprise dedicated circuitry or logic that is permanentlyconfigured (e.g., as a special-purpose processor, such as a fieldprogrammable gate array (FPGA) or an application-specific integratedcircuit (ASIC)) to perform certain operations. A hardware-implementedmodule may also comprise programmable logic or circuitry (e.g., asencompassed within a general-purpose processor or other programmableprocessor) that is temporarily configured by software to perform certainoperations. It will be appreciated that the decision to implement ahardware-implemented module mechanically, in dedicated and permanentlyconfigured circuitry, or in temporarily configured circuitry (e.g.,configured by software) may be driven by cost and time considerations.

Accordingly, the term “hardware-implemented module” should be understoodto encompass a tangible entity, be that an entity that is physicallyconstructed, permanently configured (e.g., hardwired) or temporarily ortransitorily configured (e.g., programmed) to operate in a certainmanner and/or to perform certain operations described herein.Considering embodiments in which hardware-implemented modules aretemporarily configured (e.g., programmed), each of thehardware-implemented modules need not be configured or instantiated atany one instance in time. For example, where the hardware-implementedmodules comprise a general-purpose processor configured using software,the general-purpose processor may be configured as respective differenthardware-implemented modules at different times. Software mayaccordingly configure a processor, for example, to constitute aparticular hardware-implemented module at one instance of time and toconstitute a different hardware-implemented module at a differentinstance of time.

Hardware-implemented modules can provide information to, and receiveinformation from, other hardware-implemented modules. Accordingly, thedescribed hardware-implemented modules may be regarded as beingcommunicatively coupled. Where multiple of such hardware-implementedmodules exist contemporaneously, communications may be achieved throughsignal transmission (e.g., over appropriate circuits and buses) thatconnect the hardware-implemented modules. In embodiments in whichmultiple hardware-implemented modules are configured or instantiated atdifferent times, communications between such hardware-implementedmodules may be achieved, for example, through the storage and retrievalof information in memory structures to which the multiplehardware-implemented modules have access. For example, onehardware-implemented module may perform an operation, and store theoutput of that operation in a memory device to which it iscommunicatively coupled. A further hardware-implemented module may then,at a later time, access the memory device to retrieve and process thestored output. Hardware-implemented modules may also initiatecommunications with input or output devices, and can operate on aresource (e.g., a collection of information).

The various operations of example methods described herein may beperformed, at least partially, by one or more processors that aretemporarily configured (e.g., by software) or permanently configured toperform the relevant operations. Whether temporarily or permanentlyconfigured, such processors may constitute processor-implemented modulesthat operate to perform one or more operations or functions. The modulesreferred to herein may, in some example embodiments, compriseprocessor-implemented modules.

Similarly, the methods described herein are at least partiallyprocessor-implemented. For example, at least some of the operations of amethod may be performed by one or more processors orprocessor-implemented modules. The performance of certain of theoperations may be distributed among the one or more processors, not onlyresiding within a single machine, but deployed across a number ofmachines. In some example embodiments, the processor or processors maybe located in a single location (e.g., within a home environment, anoffice environment or as a server farm), while in other embodiments theprocessors may be distributed across a number of locations.

The one or more processors may also operate to support performance ofthe relevant operations in a “cloud computing” environment or as a“software as a service” (SaaS). For example, at least some of theoperations may be performed by a group of computers (as examples ofmachines including processors), these operations being accessible via anetwork (e.g., the Internet) and via one or more appropriate interfaces(e.g., application program interfaces (APIs).)

Electronic Apparatus and System

Example embodiments may be implemented in digital electronic circuitry,or in computer hardware, firmware, software, or in combinations of them.Example embodiments may be implemented using a computer program product,e.g., a computer program tangibly embodied in an information carrier,e.g., in a machine-readable medium for execution by, or to control theoperation of, data processing apparatus, e.g., a programmable processor,a computer, or multiple computers.

A computer program can be written in any form of programming language,including compiled or interpreted languages, and it can be deployed inany form, including as a stand-alone program or as a module, subroutine,or other unit suitable for use in a computing environment. A computerprogram can be deployed to be executed on one computer or on multiplecomputers at one site or distributed across multiple sites andinterconnected by a communication network.

In example embodiments, operations may be performed by one or moreprogrammable processors executing a computer program to performfunctions by operating on input data and generating output. Methodoperations can also be performed by, and apparatus of exampleembodiments may be implemented as, special purpose logic circuitry,e.g., a field programmable gate array (FPGA) or an application-specificintegrated circuit (ASIC).

The computing system can include clients and servers. A client andserver are generally remote from each other and typically interactthrough a communication network. The relationship of client and serverarises by virtue of computer programs running on the respectivecomputers and having a client-server relationship to each other. Inembodiments deploying a programmable computing system, it will beappreciated that that both hardware and software architectures may beemployed. Specifically, it will be appreciated that the choice ofwhether to implement certain functionality in permanently configuredhardware (e.g., an ASIC), in temporarily configured hardware (e.g., acombination of software and a programmable processor), or a combinationof permanently and temporarily configured hardware may be a designchoice. Below are set out hardware (e.g., machine) and softwarearchitectures that may be deployed, in various example embodiments.

Example Machine Architecture and Machine-Readable Medium

FIG. 13 is a block diagram of a machine in the example form of aprocessing system within which may be executed a set of instructions forcausing the machine to perform any one or more of the methodologiesdiscussed herein including the functions, systems and flow diagrams ofFIGS. 1-12.

In alternative embodiments, the machine operates as a standalone deviceor may be connected (e.g., networked) to other machines. In a networkeddeployment, the machine may operate in the capacity of a server or aclient machine in server-client network environment, or as a peermachine in a peer-to-peer (or distributed) network environment. Themachine may be a personal computer (PC), a tablet PC, a set-top box(STB), a personal digital assistant (PDA), a cellular telephone, a smartphone, a tablet, a wearable device (e.g., a smart watch or smartglasses), a web appliance, a network router, switch or bridge, or anymachine capable of executing instructions (sequential or otherwise) thatspecify actions to be taken by that machine. Further, while only asingle machine is illustrated, the term “machine” shall also be taken toinclude any collection of machines that individually or jointly executea set (or multiple sets) of instructions to perform any one or more ofthe methodologies discussed herein.

The example of the machine 1300 includes at least one processor 1302(e.g., a central processing unit (CPU), a graphics processing unit(GPU), advanced processing unit (APU), or combinations thereof), a mainmemory 1304 and static memory 1306, which communicate with each othervia bus 1308. The machine 1300 may further include graphics display unit1310 (e.g., a plasma display, a liquid crystal display (LCD), a cathoderay tube (CRT), and so forth). The machine 1300 also includes analphanumeric input device 1312 (e.g., a keyboard, touch screen, and soforth), a user interface (UI) navigation device 1314 (e.g., a mouse,trackball, touch device, and so forth), a storage unit 1316, a signalgeneration device 1328 (e.g., a speaker), sensor(s) 1321 (e.g., globalpositioning sensor, accelerometer(s), microphone(s), camera(s), and soforth) and a network interface device 1320.

Machine-Readable Medium

The storage unit 1316 includes a machine-readable medium 1322 on whichis stored one or more sets of instructions and data structures (e.g.,software) 1324 embodying or utilized by any one or more of themethodologies or functions described herein. The instructions 1324 mayalso reside, completely or at least partially, within the main memory1304, the static memory 1309, and/or within the processor 1302 duringexecution thereof by the machine 1300. The main memory 1304, the staticmemory 1309 and the processor 902 also constituting machine-readablemedia.

While the machine-readable medium 1322 is shown in an example embodimentto be a single medium, the term “machine-readable medium” may include asingle medium or multiple media (e.g., a centralized or distributeddatabase, and/or associated caches and servers) that store the one ormore instructions or data structures. The term “machine-readable medium”shall also be taken to include any tangible medium that is capable ofstoring, encoding or carrying instructions for execution by the machineand that cause the machine to perform any one or more of themethodologies of the present invention, or that is capable of storing,encoding or carrying data structures utilized by or associated with suchinstructions. The term “machine-readable medium” shall accordingly betaken to include, but not be limited to, solid-state memories, andoptical and magnetic media. Specific examples of machine-readable mediainclude non-volatile memory, including by way of example semiconductormemory devices, e.g., erasable programmable read-only memory (EPROM),electrically erasable programmable read-only memory (EEPROM), and flashmemory devices; magnetic disks such as internal hard disks and removabledisks; magneto-optical disks; and CD-ROM and DVD-ROM disks. The termmachine-readable medium specifically excludes non-statutory signals perse.

Transmission Medium

The instructions 1324 may further be transmitted or received over acommunications network 1326 using a transmission medium. Theinstructions 1324 may be transmitted using the network interface device1320 and any one of a number of well-known transfer protocols (e.g.,HTTP). Transmission medium encompasses mechanisms by which theinstructions 1324 are transmitted, such as communication networks.Examples of communication networks include a local area network (“LAN”),a wide area network (“WAN”), the Internet, mobile telephone networks,plain old telephone (POTS) networks, and wireless data networks (e.g.,WiFi and WiMax networks). The term “transmission medium” shall be takento include any intangible medium that is capable of storing, encoding orcarrying instructions for execution by the machine, and includes digitalor analog communications signals or other intangible media to facilitatecommunication of such software.

Although an embodiment has been described with reference to specificexample embodiments, it will be evident that various modifications andchanges may be made to these embodiments without departing from thebroader spirit and scope of the invention. Accordingly, thespecification and drawings are to be regarded in an illustrative ratherthan a restrictive sense. The accompanying drawings that form a parthereof, show by way of illustration, and not of limitation, specificembodiments in which the subject matter may be practiced. Theembodiments illustrated are described in sufficient detail to enablethose skilled in the art to practice the teachings disclosed herein.Other embodiments may be utilized and derived therefrom, such thatstructural and logical substitutions and changes may be made withoutdeparting from the scope of this disclosure. This Detailed Description,therefore, is not to be taken in a limiting sense, and the scope ofvarious embodiments is defined only by the appended claims, along withthe full range of equivalents to which such claims are entitled.

Such embodiments of the inventive subject matter may be referred toherein, individually and/or collectively, by the term “invention” merelyfor convenience and without intending to voluntarily limit the scope ofthis application to any single invention or inventive concept if morethan one is in fact disclosed. Thus, although specific embodiments havebeen illustrated and described herein, it should be appreciated that anyarrangement calculated to achieve the same purpose may be substitutedfor the specific embodiments shown. This disclosure is intended to coverany and all adaptations or variations of various embodiments.Combinations of the above embodiments, and other embodiments notspecifically described herein, will be apparent to those of skill in theart upon reviewing the above description.

What is claimed is:
 1. A method for altering the status of cryptographickey material, the method comprising: receiving, by a processor via anetwork, a geo-location update message from a system havingcryptographic key material used for authenticated communication, thegeo-location update message identifying the location of the system;accessing a geo-fence attribute set associated with the cryptographickey material, the attribute set comprising geo-fence information thatidentifies at least one geographic region and a policy that identifieswhen a status of the cryptographic key material is to be set to either asuspended state where the cryptographic key material will not be honoredto validate the system in an authenticated session or a reinstated statewhere the cryptographic key material will be honored to validate thesystem in an authenticates session; evaluating the location of thesystem relative to the geo-fence information; responsive to theevaluation of the location and the policy, setting the status of thecryptographic key material to either the suspended state when thelocation is not in compliance with the policy or the reinstated statewhen the location is in compliance with the policy.
 2. The method ofclaim 1, wherein the policy further comprises one of a schedule or atime period and wherein the method of claim 1 further comprises settingthe status of the cryptographic key material to the suspended state ifthe system does not comply with the policy.
 3. The method of claim 2wherein the policy comprises a time period and wherein the status of thecryptographic key material is set to suspended if the geo-locationupdate message was not received during the time period.
 4. The method ofclaim 1 further comprising determining whether the geo-location updatemessage is valid.
 5. The method of claim 1 further comprising decryptingthe geo-fence information included in the geo-fence certificate.
 6. Themethod of claim 5 further comprising decrypting information included inthe geo-location update message.
 7. The method of claim 1, wherein thecryptographic key material and the geo-fence attribute set are includedin a certificate.
 8. A system comprising: a processor; memory coupled tothe processor; instructions stored in the memory that, when executed bythe processor, cause the system to: receive, by the processor via anetwork, a geo-location update message from a device havingcryptographic key material used for authenticated communication, thegeo-location update message identifying the location of the device;access a policy comprising: a geo-fence attribute set associated withthe cryptographic key material, the attribute set comprising a geo-fencethat identifies at least one geographic region; and a set of conditionsunder which a status of the cryptographic key material is to be set toeither a suspended state where the cryptographic key material will notbe honored to validate the device in an authenticated session or areinstated state where the cryptographic key material will be honored tovalidate the device in an authenticates session; and cause the state ofthe cryptographic key material to be suspended if either the location ofthe device relative to the geo-fence indicates the state should besuspended or if the conditions indicate the state should be suspended.9. The system of claim 8, wherein the state is suspended if the deviceis outside the geo-fence.
 10. The system of claim 8 wherein the state issuspended if the device is inside the geo-fence.
 11. The system of claim8 wherein the conditions comprise a schedule indicating times when thecryptographic key material should be reinstated or times when thecryptographic key material should be suspended.
 12. The system of claim11 wherein the conditions comprise a time period within which thegeo-location update message is to be received or the cryptographic keymaterial will be suspended.
 13. A machine-readable medium havingexecutable instructions encoded thereon, which, when executed by atleast one processor of a machine, cause the machine to performoperations comprising: receive, by the processor via a network, ageo-location update message from a system having cryptographic keymaterial used for authenticated communication, the geo-location updatemessage identifying the location of the system; access a policycomprising: a geo-fence attribute set associated with the cryptographickey material, the attribute set comprising a geo-fence that identifiesat least one geographic region; and a set of conditions under which astatus of the cryptographic key material is to be set to either asuspended state where the cryptographic key material will not be honoredto validate the system in an authenticated session or a reinstated statewhere the cryptographic key material will be honored to validate thesystem in an authenticates session; and cause the state of thecryptographic key material to be suspended if either the location of thesystem relative to the geo-fence indicates the state should be suspendedor if the conditions indicate the state should be suspended.
 14. Themachine-readable medium of claim 13 wherein the geo-location updatemessage further identifies the policy.
 15. The machine-readable mediumof claim 13 wherein the executable instructions cause the machine toperform operations comprising: cause the state of the cryptographic keymaterial to be reinstated if the location of the system relative to thegeo-fence indicates the state should be reinstated and if the conditionsindicate the state should be reinstated.
 16. The machine-readable mediumof claim 13 wherein the conditions comprise a schedule to indicate whenthe cryptographic key material state is reinstated or when thecryptographic key material state is suspended.
 17. The machine-readablemedium of claim 13 wherein the conditions comprise a periodic schedulefor the system to send the geo-location update message in order for thecryptographic key material to maintain the state as reinstated.
 18. Themachine-readable medium of claim 17 wherein the state is set tosuspended if the system is outside the geo-fence.
 19. Themachine-readable medium of claim 13 wherein the executable instructionsto cause the state of the cryptographic key material to be suspendedcause machine to perform at least further operations comprising: removean identifier associated with the cryptographic key material on a secondsystem.
 20. The machine-readable medium of claim 13 wherein theexecutable instructions to cause the state of the cryptographic keymaterial to be reinstated cause machine to perform at least furtheroperations comprising: replace an identifier associated with thecryptographic key material on a second system.